Finding and Fixing Mixed Content Errors

When your web application is severed over HTTPS, you should make sure that all resources (Images, CSS, JavaScript) are linked to a secure source. If there are resources being served over an insecure connection, your visitors may see a "mixed content" warning. These include both internal and external (3rd Party) sources.

When a link is added with a FULL PATH, make sure it starts with HTTPS://.

Checking Your Resources

Here's a simple tool that will tell you about any insecure items on your SSL page!
whynopadlock.com

Chrome Developer Tools

Open Developer Tools: View > Developer > Developer Tools

Go to the "Security" tab

If there are any errors or warning make sure the "Console" is open by clicking the errors or warnings in the top right. This will give you detail about which resources have issues

Firefox Developer Tools

Open Developer Toolbar: Tools > Web Developer > Developer Toolbar

Expand the toolbar by clicking any error

Choose the "Console" tab to see details of insecure content

New Terms

Self-Signed Certificate: a self-signed certificate is an SSL certificate that is not signed by a trusted, central authority in the SSL/TLS certificate ecosystem.

Nginx and Apache: two of the more popular web server/proxies that you can run a web app over.

Added Security Note

Sometimes you may still receive a warning when all resources are being loaded via https. One possible culprit is a server that supports outdated security protocols. whynopadlock.com will also give you warnings about out dated protocols.